CVE-2020-15174

In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 As a workaround sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.

In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 As a workaround sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.

### Impact The `will-navigate` event that apps use to prevent navigations to unexpected destinations [as per our security recommendations](https://www.electronjs.org/docs/tutorial/security) can be bypassed when a sub-frame performs a top-frame navigation across sites. ### Patches * `11.0.0-beta.1` * `10.0.1` * `9.3.0` * `8.5.1` ### Workarounds Sandbox all your iframes using the [`sandbox` attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox). This will prevent them creating top-frame navigations and is good practice anyway. ### For more information If you have any questions or comments about this advisory: * Email us at security@electronjs.org

### Impact The `will-navigate` event that apps use to prevent navigations to unexpected destinations [as per our security recommendations](https://www.electronjs.org/docs/tutorial/security) can be bypassed when a sub-frame performs a top-frame navigation across sites. ### Patches * `11.0.0-beta.1` * `10.0.1` * `9.3.0` * `8.5.1` ### Workarounds Sandbox all your iframes using the [`sandbox` attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox). This will prevent them creating top-frame navigations and is good practice anyway. ### For more information If you have any questions or comments about this advisory: * Email us at security@electronjs.org

En Electron anteriores a las versiones 11.0.0-beta.1, 10.0.1, 9.3.0 o 8.5.1, el evento "will-navigate" que usa las aplicaciones para evitar la navegación a destinos inesperados según nuestras recomendaciones de seguridad se puede omitir cuando una sub-frame realiza una navegación top-frame a través de los sitios. El problema está parcheado en las versiones 11.0.0-beta.1, 10.0.1, 9.3.0 o 8.5.1. Como una solución temporal, todos sus iframes utilizan el atributo sandbox. Esto impedirá que creen navegaciones top-frame y es una buena práctica de todos modos